Merge 'cd/master' - update krebs.build.source

14 files changed, 115 insertions, 113 deletions

diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix
index 51d3bb8a7..ce937a744 100644
--- a/tv/2configs/backup.nix
+++ b/tv/2configs/backup.nix
@@ -2,41 +2,17 @@
 with lib;
 {
   krebs.backup.plans = addNames {
-    xu-test-cd = {
+    wu-home-xu = {
       method = "push";
-
-      src = { host = config.krebs.hosts.xu; path = "/tmp/xu-test"; };
-      dst = { host = config.krebs.hosts.cd; path = "/tmp/backups/xu-test"; };
-
-      #startAt = "0,6,12,18:00";
-      startAt = "minutely";
+      src = { host = config.krebs.hosts.wu; path = "/home"; };
+      dst = { host = config.krebs.hosts.xu; path = "/bku/wu-home"; };
+      startAt = "05:00";
       snapshots = {
-        minutely = { format = "%Y-%m-%dT%H:%M"; retain =  5; };
-        hourly   = { format = "%Y-%m-%dT%H";    retain =  4; };
-        daily    = { format = "%Y-%m-%d";       retain =  7; };
-        weekly   = { format = "%YW%W";          retain =  4; };
-        monthly  = { format = "%Y-%m";          retain = 12; };
-        yearly   = { format = "%Y";                          };
+        daily    = { format = "%Y-%m-%d";    retain =  7; };
+        weekly   = { format = "%YW%W";       retain =  4; };
+        monthly  = { format = "%Y-%m";       retain = 12; };
+        yearly   = { format = "%Y";                       };
       };
     };
-    #xu-test-wu = {
-    #  method = "push";
-    #  dst = { user = tv; host = wu; path = "/krebs/backup/xu-test"; };
-    #};
-    cd-test-xu = {
-      method = "pull";
-      src = { host = config.krebs.hosts.cd; path = "/tmp/cd-test"; };
-      dst = { host = config.krebs.hosts.xu; path = "/tmp/backups/cd-test"; };
-      startAt = "minutely";
-      snapshots = {
-        minutely = { format = "%Y-%m-%dT%H:%M"; retain =  5; };
-        hourly   = { format = "%Y-%m-%dT%H";    retain =  4; };
-        daily    = { format = "%Y-%m-%d";       retain =  7; };
-        weekly   = { format = "%YW%W";          retain =  4; };
-        monthly  = { format = "%Y-%m";          retain = 12; };
-        yearly   = { format = "%Y";                          };
-      };
-    };
-
   };
 }
diff --git a/tv/2configs/consul-client.nix b/tv/2configs/consul-client.nix
deleted file mode 100644
index 0a8bf4d75..000000000
--- a/tv/2configs/consul-client.nix
+++ /dev/null
@@ -1,9 +0,0 @@
-{ pkgs, ... }:
-
-{
-  imports = [ ./consul-server.nix ];
-
-  tv.consul = {
-    server = pkgs.lib.mkForce false;
-  };
-}
diff --git a/tv/2configs/consul-server.nix b/tv/2configs/consul-server.nix
deleted file mode 100644
index d10f9ea75..000000000
--- a/tv/2configs/consul-server.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, ... }:
-
-{
-  tv.consul = rec {
-    enable = true;
-
-    self = config.krebs.build.host;
-    inherit (self) dc;
-
-    server = true;
-
-    hosts = with config.krebs.hosts; [
-      # TODO get this list automatically from each host where tv.consul.enable is true
-      cd
-      mkdir
-      nomic
-      rmdir
-      #wu
-    ];
-  };
-}
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index c300633bb..57c4620c4 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -8,20 +8,21 @@ with lib;
   krebs.build = {
     user = config.krebs.users.tv;
     target = mkDefault "root@${config.krebs.build.host.name}";
-    source = {
-      git.nixpkgs = {
-        url = mkDefault https://github.com/NixOS/nixpkgs;
-        rev = mkDefault "c44a593aa43bba6a0708f6f36065a514a5110613";
-        target-path = mkDefault "/var/src/nixpkgs";
+    source = mapAttrs (_: mkDefault) ({
+      nixos-config = "symlink:stockholm/tv/1systems/${config.krebs.build.host.name}.nix";
+      nixpkgs = symlink:stockholm/nixpkgs;
+      secrets = "/home/tv/secrets/${config.krebs.build.host.name}";
+      secrets-common = "/home/tv/secrets/common";
+      stockholm = "/home/tv/stockholm";
+      stockholm-user = "symlink:stockholm/tv";
+      upstream-nixpkgs = {
+        url = https://github.com/NixOS/nixpkgs;
+        rev = "77f8f35d57618c1ba456d968524f2fb2c3448295";
+        dev = "/home/tv/nixpkgs";
       };
-      dir.secrets = {
-        path = mkDefault "/home/tv/secrets/${config.krebs.build.host.name}";
-      };
-      dir.stockholm = {
-        path = mkDefault "/home/tv/stockholm";
-        target-path = mkDefault "/var/src/stockholm";
-      };
-    };
+    } // optionalAttrs config.krebs.build.host.secure {
+      secrets-master = "/home/tv/secrets/master";
+    });
   };
 
   networking.hostName = config.krebs.build.host.name;
@@ -67,6 +68,9 @@ with lib;
       nix.useChroot = true;
     }
     {
+      nixpkgs.config.allowUnfree = false;
+    }
+    {
       environment.profileRelativeEnvVars.PATH = mkForce [ "/bin" ];
 
       environment.systemPackages = with pkgs; [
@@ -98,12 +102,7 @@ with lib;
       };
 
       environment.variables = {
-        NIX_PATH =
-          with config.krebs.build.source; with dir; with git;
-          mkForce (concatStringsSep ":" [
-            "nixpkgs=${nixpkgs.target-path}"
-            "secrets=${stockholm.target-path}/null"
-          ]);
+        NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
       };
 
       programs.bash = {
@@ -142,7 +141,12 @@ with lib;
         '';
       };
 
-      programs.ssh.startAgent = false;
+      programs.ssh = {
+        extraConfig = ''
+          UseRoaming no
+        '';
+        startAgent = false;
+      };
     }
 
     {
@@ -160,12 +164,17 @@ with lib;
     }
 
     {
+      tv.iptables.enable = true;
+    }
+
+    {
       services.openssh = {
         enable = true;
         hostKeys = [
           { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
         ];
       };
+      tv.iptables.input-internet-accept-new-tcp = singleton "ssh";
     }
 
     {
@@ -177,7 +186,8 @@ with lib;
     {
       systemd.tmpfiles.rules = let
         forUsers = flip map users;
-        isUser = { group, ... }: hasSuffix "users" group;
+        isUser = { name, group, ... }:
+          name == "root" || hasSuffix "users" group;
         users = filter isUser (mapAttrsToList (_: id) config.users.users);
       in forUsers (u: "d /run/xdg/${u.name} 0700 ${u.name} ${u.group} -");
       environment.variables.XDG_RUNTIME_DIR = "/run/xdg/$LOGNAME";
diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix
new file mode 100644
index 000000000..aedf25823
--- /dev/null
+++ b/tv/2configs/exim-retiolum.nix
@@ -0,0 +1,8 @@
+{ lib, ... }:
+
+with lib;
+
+{
+  krebs.exim-retiolum.enable = true;
+  tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
+}
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index f5f63d284..bcfea7821 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
@@ -1,4 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+with lib;
 
 {
   krebs.exim-smarthost = {
@@ -34,4 +36,5 @@
       { from = "mirko"; to = "mv"; }
     ];
   };
+  tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
 }
diff --git a/tv/2configs/git.nix b/tv/2configs/git.nix
index 800deff1b..b8180085f 100644
--- a/tv/2configs/git.nix
+++ b/tv/2configs/git.nix
@@ -9,7 +9,7 @@ let
       enable = true;
       root-title = "public repositories at ${config.krebs.build.host.name}";
       root-desc = "keep calm and engage";
-      repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
+      repos = repos;
       rules = rules;
     };
   };
@@ -22,8 +22,8 @@ let
 
   public-repos = mapAttrs make-public-repo ({
   } // mapAttrValues (setAttr "section" "1. Miscellaneous") {
-    cac = {
-      desc = "CloudAtCost command line interface";
+    cac-api = {
+      desc = "CloudAtCost API command line interface";
     };
     get = {};
     hack = {};
@@ -39,6 +39,7 @@ let
     stockholm = {
       desc = "take all the computers hostage, they'll love you!";
     };
+    with-tmpdir = {};
   } // mapAttrValues (setAttr "section" "2. Haskell libraries") {
     blessings = {};
     mime = {};
@@ -98,7 +99,7 @@ let
         repo = [ repo ];
         perm = fetch;
       } ++
-      optional (length (repo.collaborators or []) > 0) {
+      optional (repo.collaborators or [] != []) {
         user = repo.collaborators;
         repo = [ repo ];
         perm = fetch;
diff --git a/tv/2configs/hw/AO753.nix b/tv/2configs/hw/AO753.nix
index acd9ee32b..72a40819f 100644
--- a/tv/2configs/hw/AO753.nix
+++ b/tv/2configs/hw/AO753.nix
@@ -1,4 +1,6 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
+
+with lib;
 
 {
   imports = [
@@ -39,8 +41,5 @@
     HandleSuspendKey=ignore
   '';
 
-  nixpkgs.config = {
-    allowUnfree = false;
-    allowUnfreePredicate = (x: pkgs.lib.hasPrefix "broadcom-sta-" x.name);
-  };
+  nixpkgs.config.allowUnfreePredicate = pkg: hasPrefix "broadcom-sta-" pkg.name;
 }
diff --git a/tv/2configs/hw/x220.nix b/tv/2configs/hw/x220.nix
index 8549311e7..7cec670fa 100644
--- a/tv/2configs/hw/x220.nix
+++ b/tv/2configs/hw/x220.nix
@@ -14,7 +14,6 @@
   networking.wireless.enable = true;
 
   #hardware.enableAllFirmware = true;
-  #nixpkgs.config.allowUnfree = true;
   #zramSwap.enable = true;
   #zramSwap.numDevices = 2;
 
diff --git a/tv/2configs/nginx-public_html.nix b/tv/2configs/nginx-public_html.nix
new file mode 100644
index 000000000..dc74f7f8d
--- /dev/null
+++ b/tv/2configs/nginx-public_html.nix
@@ -0,0 +1,15 @@
+{ lib, ... }:
+
+with lib;
+
+{
+  krebs.nginx = {
+    enable = true;
+    servers.default.locations = [
+      (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
+        alias /home/$1/public_html$2;
+      '')
+    ];
+  };
+  tv.iptables.input-internet-accept-new-tcp = singleton "http";
+}
diff --git a/tv/2configs/pulse.nix b/tv/2configs/pulse.nix
index 3db3532d5..e1894ca64 100644
--- a/tv/2configs/pulse.nix
+++ b/tv/2configs/pulse.nix
@@ -1,5 +1,6 @@
 { config, lib, pkgs, ... }:
 
+with lib;
 let
   pkg = pkgs.pulseaudioLight;
   runDir = "/run/pulse";
@@ -35,36 +36,43 @@ let
 in
 
 {
-  systemd.tmpfiles.rules = [
-    "d ${runDir} 0750 pulse pulse - -"
-    "d ${runDir}/home 0700 pulse pulse - -"
-  ];
-
-  system.activationScripts.pulseaudio-hack = ''
-    ln -fns ${clientConf} /etc/pulse/client.conf
-  '';
-
   environment = {
     etc = {
       "asound.conf".source = alsaConf;
-      #"pulse/client.conf" = lib.mkForce { source = clientConf; };
+      # XXX mkForce is not strong enough (and neither is mkOverride) to create
+      # /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
+      #"pulse/client.conf" = mkForce { source = clientConf; };
+      #"pulse/client.conf".source = mkForce clientConf;
       "pulse/default.pa".source = configFile;
     };
-    systemPackages = [ pkg ];
+    systemPackages = [
+      pkg
+    ] ++ optionals config.services.xserver.enable [
+      pkgs.pavucontrol
+    ];
   };
 
   # Allow PulseAudio to get realtime priority using rtkit.
   security.rtkit.enable = true;
 
+  system.activationScripts.pulseaudio-hack = ''
+    ln -fns ${clientConf} /etc/pulse/client.conf
+  '';
+
   systemd.services.pulse = {
     wantedBy = [ "sound.target" ];
     before = [ "sound.target" ];
     environment = {
       PULSE_RUNTIME_PATH = "${runDir}/home";
-      #DISPLAY = ":${toString config.services.xserver.display}";
     };
     serviceConfig = {
       ExecStart = "${pkg}/bin/pulseaudio";
+      ExecStartPre = pkgs.writeScript "pulse-start" ''
+        #! /bin/sh
+        install -o pulse -g pulse -m 0750 -d ${runDir}
+        install -o pulse -g pulse -m 0700 -d ${runDir}/home
+      '';
+      PermissionsStartOnly = "true";
       User = "pulse";
     };
   };
diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix
new file mode 100644
index 000000000..d2bb9e6cf
--- /dev/null
+++ b/tv/2configs/retiolum.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+  krebs.retiolum = {
+    enable = true;
+    connectTo = filter (ne config.krebs.build.host.name) [
+      "gum"
+      "prism"
+      "echelon"
+      "cd"
+      "ire"
+    ];
+  };
+  tv.iptables.input-internet-accept-new-tcp = singleton "tinc";
+}
diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix
index 0537fa7d8..23f90af05 100644
--- a/tv/2configs/vim.nix
+++ b/tv/2configs/vim.nix
@@ -7,11 +7,6 @@ let
       vim
     ];
 
-    # Nano really is just a stupid name for Vim.
-    nixpkgs.config.packageOverrides = pkgs: {
-      nano = pkgs.vim;
-    };
-
     environment.etc.vimrc.source = vimrc;
 
     environment.variables.EDITOR = mkForce "vim";
@@ -89,7 +84,7 @@ let
             \ | hi Normal ctermfg=White
 
     au BufRead,BufNewFile *.hs so ${pkgs.writeText "hs.vim" ''
-      syn region String start=+\[[^|]*|+ end=+|]+
+      syn region String start=+\[[[:alnum:]]*|+ end=+|]+
     ''}
 
     au BufRead,BufNewFile *.nix so ${pkgs.writeText "nix.vim" ''
@@ -110,6 +105,8 @@ let
 
       syn match String /"\([^\\"]\|\\.\)*"/
       syn match Comment /\(^\|\s\)#.*/
+
+      let b:current_syntax = "nix"
     ''}
 
     au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile
diff --git a/tv/2configs/xserver/default.nix b/tv/2configs/xserver/default.nix
index facde4e76..5cd17aa1d 100644
--- a/tv/2configs/xserver/default.nix
+++ b/tv/2configs/xserver/default.nix
@@ -37,7 +37,6 @@ let
       pkgs.ff
       pkgs.gitAndTools.qgit
       pkgs.mpv
-      pkgs.pavucontrol
       pkgs.slock
       pkgs.sxiv
       pkgs.xsel